Lines Matching defs:state
149 /* state tables */
376 pf_state_lookup_aux(struct pf_state **state, struct pfi_kif *kif,
379 if (*state == NULL || (*state)->timeout == PFTM_PURGE) {
385 (((*state)->rule.ptr->rt == PF_ROUTETO &&
386 (*state)->rule.ptr->direction == PF_OUT) ||
387 ((*state)->rule.ptr->rt == PF_REPLYTO &&
388 (*state)->rule.ptr->direction == PF_IN)) &&
389 (*state)->rt_kif != NULL && (*state)->rt_kif != kif) {
400 *state = pf_find_state(kif, &key, direction); \
401 if (*state != NULL && pd != NULL && \
403 pd->flowhash = (*state)->state_key->flowhash; \
405 if (pf_state_lookup_aux(state, kif, direction, &action)) \
1203 pf_src_connlimit(struct pf_state **state)
1207 (*state)->src_node->conn++;
1208 VERIFY((*state)->src_node->conn != 0);
1209 (*state)->src.tcp_est = 1;
1210 pf_add_threshold(&(*state)->src_node->conn_rate);
1212 if ((*state)->rule.ptr->max_src_conn &&
1213 (*state)->rule.ptr->max_src_conn <
1214 (*state)->src_node->conn) {
1219 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
1220 pf_check_threshold(&(*state)->src_node->conn_rate)) {
1228 if ((*state)->rule.ptr->overload_tbl) {
1235 pf_print_host(&(*state)->src_node->addr, 0,
1236 (*state)->state_key->af);
1240 p.pfra_af = (*state)->state_key->af;
1241 switch ((*state)->state_key->af) {
1245 p.pfra_ip4addr = (*state)->src_node->addr.v4;
1251 p.pfra_ip6addr = (*state)->src_node->addr.v6;
1256 pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
1260 if ((*state)->rule.ptr->flush) {
1273 (*state)->state_key->af &&
1274 (((*state)->state_key->direction ==
1276 PF_AEQ(&(*state)->src_node->addr,
1278 ((*state)->state_key->direction == PF_IN &&
1279 PF_AEQ(&(*state)->src_node->addr,
1281 ((*state)->rule.ptr->flush &
1283 (*state)->rule.ptr == st->rule.ptr)) {
1285 st->src.state = st->dst.state =
1297 /* kill this state */
1298 (*state)->timeout = PFTM_PURGE;
1299 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
1373 printf("pf: state insert failed: %s %s ", tree, kif->pfik_name);
1429 /* if cur != NULL, we already found a state key and attached to it */
1444 printf("pf: state insert failed: "
1502 /* process a fraction of the state table every second */
1538 pf_state_expires(const struct pf_state *state)
1548 if (state->timeout == PFTM_PURGE)
1550 if (state->timeout == PFTM_UNTIL_PACKET)
1552 VERIFY(state->timeout != PFTM_UNLINKED);
1553 VERIFY(state->timeout < PFTM_MAX);
1554 t = state->rule.ptr->timeout[state->timeout];
1556 t = pf_default_rule.timeout[state->timeout];
1557 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1559 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1560 states = state->rule.ptr->states;
1568 return (state->expire + t * (end - states) /
1573 return (state->expire + t);
1638 if (cur->src.state == PF_TCPS_PROXY_DST) {
1713 /* get next state, as cur may get deleted */
1719 /* unlink and free expired state */
1899 printf(" %u:%u", s->src.state, s->dst.state);
3956 /* initialize state key from psk, if provided */
4626 /* prepare state key, for flowhash and/or the state (if created) */
4717 /* create new state */
4743 * This squelches state creation if the external
4744 * address matches an existing incomplete state with a
4746 * partial state is allowed for each external address.
4851 s->src.state = TCPS_SYN_SENT;
4852 s->dst.state = TCPS_CLOSED;
4856 s->src.state = PFUDPS_SINGLE;
4857 s->dst.state = PFUDPS_NO_TRAFFIC;
4867 s->src.state = PFGRE1S_INITIATING;
4868 s->dst.state = PFGRE1S_NO_TRAFFIC;
4872 s->src.state = PFESPS_INITIATING;
4873 s->dst.state = PFESPS_NO_TRAFFIC;
4877 s->src.state = PFOTHERS_SINGLE;
4878 s->dst.state = PFOTHERS_NO_TRAFFIC;
4921 /* allocate state key and import values from psk */
5008 s->src.state = PF_TCPS_PROXY_SRC;
5503 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
5543 pns_state = &gs->dst.state;
5545 pac_state = &gs->src.state;
5550 pns_state = &gs->src.state;
5552 pac_state = &gs->dst.state;
5704 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
5743 "inserting GREv1 state.\n"));
5790 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
5821 if (direction == (*state)->state_key->direction) {
5822 src = &(*state)->src;
5823 dst = &(*state)->dst;
5825 src = &(*state)->dst;
5826 dst = &(*state)->src;
5829 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
5830 if (direction != (*state)->state_key->direction) {
5835 if (ntohl(th->th_seq) != (*state)->src.seqlo) {
5839 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
5841 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
5842 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
5847 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
5848 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
5851 } else if ((*state)->src_node != NULL &&
5852 pf_src_connlimit(state)) {
5856 (*state)->src.state = PF_TCPS_PROXY_DST;
5858 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
5862 psrc = &(*state)->state_key->gwy;
5863 pdst = &(*state)->state_key->ext;
5865 psrc = &(*state)->state_key->ext;
5866 pdst = &(*state)->state_key->lan;
5868 if (direction == (*state)->state_key->direction) {
5870 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
5871 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
5875 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
5876 if ((*state)->dst.seqhi == 1)
5877 (*state)->dst.seqhi = htonl(random());
5878 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
5880 (*state)->dst.seqhi, 0, TH_SYN, 0,
5881 (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL);
5886 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
5890 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
5891 (*state)->dst.seqlo = ntohl(th->th_seq);
5892 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
5895 TH_ACK, (*state)->src.max_win, 0, 0, 0,
5896 (*state)->tag, NULL, NULL);
5897 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
5899 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
5900 TH_ACK, (*state)->dst.max_win, 0, 0, 1,
5902 (*state)->src.seqdiff = (*state)->dst.seqhi -
5903 (*state)->src.seqlo;
5904 (*state)->dst.seqdiff = (*state)->src.seqhi -
5905 (*state)->dst.seqlo;
5906 (*state)->src.seqhi = (*state)->src.seqlo +
5907 (*state)->dst.max_win;
5908 (*state)->dst.seqhi = (*state)->dst.seqlo +
5909 (*state)->src.max_win;
5910 (*state)->src.wscale = (*state)->dst.wscale = 0;
5911 (*state)->src.state = (*state)->dst.state =
5919 dst->state >= TCPS_FIN_WAIT_2 &&
5920 src->state >= TCPS_FIN_WAIT_2) {
5922 printf("pf: state reuse ");
5923 pf_print_state(*state);
5928 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
5929 pf_unlink_state(*state);
5930 *state = NULL;
5948 /* First packet from this end. Set its state */
5991 * scale in the state record that we
6011 if (src->state < TCPS_SYN_SENT)
6012 src->state = TCPS_SYN_SENT;
6048 (dst->state < TCPS_SYN_SENT)) {
6104 *state, src, dst, ©back))
6122 if (src->state < TCPS_SYN_SENT)
6123 src->state = TCPS_SYN_SENT;
6125 if (src->state < TCPS_CLOSING)
6126 src->state = TCPS_CLOSING;
6128 if (dst->state == TCPS_SYN_SENT) {
6129 dst->state = TCPS_ESTABLISHED;
6130 if (src->state == TCPS_ESTABLISHED &&
6131 (*state)->src_node != NULL &&
6132 pf_src_connlimit(state)) {
6136 } else if (dst->state == TCPS_CLOSING)
6137 dst->state = TCPS_FIN_WAIT_2;
6140 src->state = dst->state = TCPS_TIME_WAIT;
6143 (*state)->expire = pf_time_second();
6144 if (src->state >= TCPS_FIN_WAIT_2 &&
6145 dst->state >= TCPS_FIN_WAIT_2)
6146 (*state)->timeout = PFTM_TCP_CLOSED;
6147 else if (src->state >= TCPS_CLOSING &&
6148 dst->state >= TCPS_CLOSING)
6149 (*state)->timeout = PFTM_TCP_FIN_WAIT;
6150 else if (src->state < TCPS_ESTABLISHED ||
6151 dst->state < TCPS_ESTABLISHED)
6152 (*state)->timeout = PFTM_TCP_OPENING;
6153 else if (src->state >= TCPS_CLOSING ||
6154 dst->state >= TCPS_CLOSING)
6155 (*state)->timeout = PFTM_TCP_CLOSING;
6157 (*state)->timeout = PFTM_TCP_ESTABLISHED;
6161 } else if ((dst->state < TCPS_SYN_SENT ||
6162 dst->state >= TCPS_FIN_WAIT_2 || src->state >= TCPS_FIN_WAIT_2) &&
6173 * firewall rebooted, the state table was flushed, routes
6185 * validate the connection, go through the normal state code
6186 * and keep updating the state TTL.
6190 printf("pf: loose state match: ");
6191 pf_print_state(*state);
6195 pd->p_len, ackskew, (*state)->packets[0],
6196 (*state)->packets[1],
6198 direction == (*state)->state_key->direction ?
6204 *state, src, dst, ©back))
6225 if (src->state < TCPS_CLOSING)
6226 src->state = TCPS_CLOSING;
6228 src->state = dst->state = TCPS_TIME_WAIT;
6233 if ((*state)->dst.state == TCPS_SYN_SENT &&
6234 (*state)->src.state == TCPS_SYN_SENT) {
6235 /* Send RST for state mismatches during handshake */
6237 pf_send_tcp((*state)->rule.ptr, pd->af,
6241 (*state)->rule.ptr->return_ttl, 1, 0,
6247 printf("pf: BAD state: ");
6248 pf_print_state(*state);
6253 (*state)->packets[0], (*state)->packets[1],
6255 direction == (*state)->state_key->direction ?
6273 if ((*state)->state_key->app_state &&
6274 (*state)->state_key->app_state->handler) {
6275 (*state)->state_key->app_state->handler(*state, direction,
6285 if (STATE_TRANSLATE((*state)->state_key)) {
6289 &(*state)->state_key->gwy.addr,
6290 (*state)->state_key->gwy.xport.port, 0, pd->af);
6294 &(*state)->state_key->lan.addr,
6295 (*state)->state_key->lan.xport.port, 0, pd->af);
6314 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
6374 *state = pf_find_state(kif, &key, dx);
6376 if (!key.app_state && *state == 0) {
6378 *state = pf_find_state(kif, &key, dx);
6381 if (!key.app_state && *state == 0) {
6383 *state = pf_find_state(kif, &key, dx);
6386 if ((*state) != NULL && pd != NULL &&
6388 pd->flowhash = (*state)->state_key->flowhash;
6390 if (pf_state_lookup_aux(state, kif, direction, &action))
6393 if (direction == (*state)->state_key->direction) {
6394 src = &(*state)->src;
6395 dst = &(*state)->dst;
6397 src = &(*state)->dst;
6398 dst = &(*state)->src;
6402 if (src->state < PFUDPS_SINGLE)
6403 src->state = PFUDPS_SINGLE;
6404 if (dst->state == PFUDPS_SINGLE)
6405 dst->state = PFUDPS_MULTIPLE;
6408 (*state)->expire = pf_time_second();
6409 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
6410 (*state)->timeout = PFTM_UDP_MULTIPLE;
6412 (*state)->timeout = PFTM_UDP_SINGLE;
6414 extfilter = (*state)->state_key->proto_variant;
6416 (*state)->state_key->ext.xport.port = key.ext.xport.port;
6418 PF_ACPY(&(*state)->state_key->ext.addr,
6422 if ((*state)->state_key->app_state &&
6423 (*state)->state_key->app_state->handler) {
6424 (*state)->state_key->app_state->handler(*state, direction,
6434 if (STATE_TRANSLATE((*state)->state_key)) {
6444 &(*state)->state_key->gwy.addr,
6445 (*state)->state_key->gwy.xport.port, 1, pd->af);
6449 &(*state)->state_key->lan.addr,
6450 (*state)->state_key->lan.xport.port, 1, pd->af);
6458 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
6505 * Search for an ICMP state.
6523 (*state)->expire = pf_time_second();
6524 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
6527 if (STATE_TRANSLATE((*state)->state_key)) {
6534 (*state)->state_key->gwy.addr.v4.s_addr, 0);
6538 (*state)->state_key->gwy.xport.port, 0);
6540 (*state)->state_key->gwy.xport.port;
6553 &(*state)->state_key->gwy.addr, 0);
6570 (*state)->state_key->lan.addr.v4.s_addr, 0);
6574 (*state)->state_key->lan.xport.port, 0);
6576 (*state)->state_key->lan.xport.port;
6589 &(*state)->state_key->lan.addr, 0);
6608 * Extract the inner TCP/UDP header and search for that state.
6749 if (direction == (*state)->state_key->direction) {
6750 src = &(*state)->dst;
6751 dst = &(*state)->src;
6753 src = &(*state)->src;
6754 dst = &(*state)->dst;
6779 printf(" state: ");
6780 pf_print_state(*state);
6787 if (STATE_TRANSLATE((*state)->state_key)) {
6790 daddr, &(*state)->state_key->lan.addr,
6791 (*state)->state_key->lan.xport.port, NULL,
6796 saddr, &(*state)->state_key->gwy.addr,
6797 (*state)->state_key->gwy.xport.port, NULL,
6885 *state = pf_find_state(kif, &key, dx);
6887 if (key.app_state && *state == 0) {
6889 *state = pf_find_state(kif, &key, dx);
6892 if (*state == 0) {
6894 *state = pf_find_state(kif, &key, dx);
6897 if (*state == 0) {
6899 *state = pf_find_state(kif, &key, dx);
6902 if (*state != NULL && pd != NULL &&
6904 pd->flowhash = (*state)->state_key->flowhash;
6906 if (pf_state_lookup_aux(state, kif, direction, &action))
6909 if (STATE_TRANSLATE((*state)->state_key)) {
6912 daddr, &(*state)->state_key->lan.addr,
6913 (*state)->state_key->lan.xport.port, &uh.uh_sum,
6918 saddr, &(*state)->state_key->gwy.addr,
6919 (*state)->state_key->gwy.xport.port, &uh.uh_sum,
6979 if (STATE_TRANSLATE((*state)->state_key)) {
6982 daddr, &(*state)->state_key->lan.addr,
6983 (*state)->state_key->lan.xport.port, NULL,
6988 saddr, &(*state)->state_key->gwy.addr,
6989 (*state)->state_key->gwy.xport.port, NULL,
7033 if (STATE_TRANSLATE((*state)->state_key)) {
7036 daddr, &(*state)->state_key->lan.addr,
7037 (*state)->state_key->lan.xport.port, NULL,
7042 saddr, &(*state)->state_key->gwy.addr,
7043 (*state)->state_key->gwy.xport.port, NULL,
7079 if (STATE_TRANSLATE((*state)->state_key)) {
7082 daddr, &(*state)->state_key->lan.addr,
7088 saddr, &(*state)->state_key->gwy.addr,
7125 pf_test_state_grev1(struct pf_state **state, int direction,
7150 if (direction == (*state)->state_key->direction) {
7151 src = &(*state)->src;
7152 dst = &(*state)->dst;
7154 src = &(*state)->dst;
7155 dst = &(*state)->src;
7159 if (src->state < PFGRE1S_INITIATING)
7160 src->state = PFGRE1S_INITIATING;
7163 (*state)->expire = pf_time_second();
7164 if (src->state >= PFGRE1S_INITIATING &&
7165 dst->state >= PFGRE1S_INITIATING) {
7166 if ((*state)->timeout != PFTM_TCP_ESTABLISHED)
7167 (*state)->timeout = PFTM_GREv1_ESTABLISHED;
7168 src->state = PFGRE1S_ESTABLISHED;
7169 dst->state = PFGRE1S_ESTABLISHED;
7171 (*state)->timeout = PFTM_GREv1_INITIATING;
7174 if ((*state)->state_key->app_state)
7175 (*state)->state_key->app_state->u.grev1.pptp_state->expire =
7179 if (STATE_GRE_TRANSLATE((*state)->state_key)) {
7186 (*state)->state_key->gwy.addr.v4.s_addr, 0);
7191 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
7197 grev1->call_id = (*state)->state_key->lan.xport.call_id;
7204 (*state)->state_key->lan.addr.v4.s_addr, 0);
7209 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
7226 pf_test_state_esp(struct pf_state **state, int direction, struct pfi_kif *kif,
7249 *state = pf_find_state(kif, &key, direction);
7251 if (*state == 0) {
7256 * No matching state. Look for a blocking state. If we find
7257 * one, then use that state and move it so that it's keyed to
7276 *state = s;
7293 *state = s;
7298 if (*state == 0) {
7313 if (*state != NULL && pd != NULL &&
7315 pd->flowhash = (*state)->state_key->flowhash;
7318 if (pf_state_lookup_aux(state, kif, direction, &action))
7321 if (direction == (*state)->state_key->direction) {
7322 src = &(*state)->src;
7323 dst = &(*state)->dst;
7325 src = &(*state)->dst;
7326 dst = &(*state)->src;
7330 if (src->state < PFESPS_INITIATING)
7331 src->state = PFESPS_INITIATING;
7334 (*state)->expire = pf_time_second();
7335 if (src->state >= PFESPS_INITIATING &&
7336 dst->state >= PFESPS_INITIATING) {
7337 (*state)->timeout = PFTM_ESP_ESTABLISHED;
7338 src->state = PFESPS_ESTABLISHED;
7339 dst->state = PFESPS_ESTABLISHED;
7341 (*state)->timeout = PFTM_ESP_INITIATING;
7344 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
7351 (*state)->state_key->gwy.addr.v4.s_addr, 0);
7356 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
7367 (*state)->state_key->lan.addr.v4.s_addr, 0);
7372 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
7384 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
7407 if (direction == (*state)->state_key->direction) {
7408 src = &(*state)->src;
7409 dst = &(*state)->dst;
7411 src = &(*state)->dst;
7412 dst = &(*state)->src;
7416 if (src->state < PFOTHERS_SINGLE)
7417 src->state = PFOTHERS_SINGLE;
7418 if (dst->state == PFOTHERS_SINGLE)
7419 dst->state = PFOTHERS_MULTIPLE;
7422 (*state)->expire = pf_time_second();
7423 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
7424 (*state)->timeout = PFTM_OTHER_MULTIPLE;
7426 (*state)->timeout = PFTM_OTHER_SINGLE;
7429 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
7436 (*state)->state_key->gwy.addr.v4.s_addr,
7443 &(*state)->state_key->gwy.addr, pd->af);
7453 (*state)->state_key->lan.addr.v4.s_addr,
7460 &(*state)->state_key->lan.addr, pd->af);